Encrypt your web traffic

This is my fifth installment in my “Encrypt All The Things!” series.

Encrypt All The Things! [A Guide]

Today, we will encrypt all (or as much as possible) of your web traffic on Windows, Mac, Linux, & Android.

Your web traffic (what you request to view, what is sent to your browser to view, and what you post back in web forms when signing up for new accounts, uploading your photos, uploading your files…) is all sent in clear, unencrypted text unless the page you’re requesting or posting to begins with https://.  That “s” is the critical piece.  That means “secure”.  That means the web page was encrypted at the web server before being sent to your browser and anything you post (or fill in and submit) will be encrypted too.

But, Not So Fast!

There are several gotchas where that is NOT the case:

    1. You might be on an https site, but the site may have been coded poorly and the data you’re filling in might not be going back to an https page.  If so, then your data is being sent back in clear text over the open internet, and THAT’S more important than the page you’re viewing being encrypted (well, in many cases).  The page COULD be coded to post your data back to a non-secure page.
    2. Just because you’re on an https site, doesn’t mean that the site owners are trustworthy.  All it means is that the connection between the two of you is encrypted.  If you’re on a phishing website, it’s still the bad guys, even IF it’s encrypted.
    3. If you’re at work, it’s entirely possible that your employer has installed their OWN root certificates on YOUR work PC and your employer is acting as a man in the middle.  Even though you may be on an https website on a trusted website like https://google.com, your connection may be encrypted only between your PC and the equipment downstairs in the computer room in the very building you’re in.  Your employer can easily have access to ALL of your web traffic, record it, snoop it, and use it against you.  (We’ll spend some extra time on this one a little later in the article).
    4. If your PC already has malware on it, encrypted traffic is pretty much useless because they’ve already gotten behind all your protections and have access to everything you do BEFORE it gets encrypted and sent over the internet.  (Wipe your hard drive and start over.  Not kidding!)

So, What Do You Do?

    1. If the https site is coded poorly and is sending your data back, unencrypted, how do you know?  That’s a little complicated and unless you’re a web developer (and even IF you’re a web developer), it’s hard to tell sometimes.  In short, do this on a login page or a web page asking for your personal information:
      1. On your desktop browser, right-click the page and choose “View Source” or “View Page Source” or something similar to that.
      2. Look for something that starts with “<form “   Like this from EFF’s website, as an example:
        1. <form action="https://supporters.eff.org/subscribe" method="post" class="newsletter-form" accept-charset="UTF-8">
      3. This is called a form and the “action” tells us WHERE our data goes when we submit it on that page.  Notice that it’s an “https” site?  That means it’s encrypted on our end before going back.  If it’s just “http” with no “s”, it’s being sent back in the clear, with ZERO encryption!
        1. What do you do?  Not much you can do about that.  But you CAN install the TOR browser.  It’ll encrypt EVERYTHING you do in the browser, and pass it through a peer to peer network, hopping through multiple other computers, before finally having the last computer actually send your data to the real website.  But, it’ll have to be unencrypted there before going across the internet to the site you wanted to post to.  You can’t force the website to receive your data encrypted.  You can only encrypt it on your end and pass it along a few PCs before it must be decrypted and sent in the clear.  That’ll at least block your ISP from seeing it, or anyone snooping on your local network.  But it won’t stop a snoop on the OTHER end of the connection.
    2. How do you know if your employer is snooping on what you THOUGHT was an encrypted connection?
      1. In Chrome:  Go to any https site, like https://google.com, click on the green padlock, click “connection”, click “certificate information”, click the “Certification Path” tab.
      2. It should not have your company’s name in there.  If it DOES, guess what?  Your employer is decrypting and snooping on your traffic.  They’re playing as what’s called a “Man In The Middle”.  This only works because they have control of your PC and have installed their OWN root certificate telling your browser to trust THEIR security certificates as valid owners of Google.com.  NOT COOL!
        1. What do you do about THAT?  Stop using your work computer for anything that’s personal.  That’s the only way out.  I take my own laptop to work, plug in my Android phone to it and share my T-Mobile data connection with my laptop.  I do my web browsing from my laptop and the rest of my work from my work PC.
    3. If your PC has malware on it… You might not even know it.  But if you DO know it, for heaven’s sake!  STOP USING IT… like RIGHT NOW!  Reformat your drive, re-install your OS and your software.  That’s the only realistic way to get rid of it all, and stop downloading those stupid toolbars!  Seriously!  Also, don’t download software from sources you’re not 100% certain are widely accepted as trustworthy!
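
The “View Source” check for form actions described in step 1 can be automated. The following is an added example, not code from the original article: it lists every form on a page and resolves each “action” against the page’s own address, which also covers relative and empty actions that the manual check can miss. The page address and most of the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionParser(HTMLParser):
    """Collects the action attribute of every <form> tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means "submit to the page's own URL".
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_target, verdict) for each form found in html."""
    parser = FormActionParser()
    parser.feed(html)
    results = []
    for action in parser.actions:
        # Relative and scheme-less actions inherit from the page URL.
        target = urljoin(page_url, action)
        scheme = urlparse(target).scheme.lower()
        if scheme == "https":
            verdict = "encrypted"
        elif scheme == "http":
            verdict = "CLEARTEXT"
        else:
            verdict = "other"  # e.g. mailto: or javascript: actions
        results.append((target, verdict))
    return results


# Constructed sample page address and markup (assumptions for this example).
SAMPLE_URL = "https://shop.example/login"
SAMPLE_HTML = """
<form action="https://supporters.eff.org/subscribe" method="post"></form>
<form action="http://shop.example/do_login" method="post"></form>
<form action="/search" method="get"></form>
<form action="//cdn.example/track" method="post"></form>
<form method="post"></form>
"""

if __name__ == "__main__":
    for target, verdict in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict:10} {target}")
```

This only reads the static HTML: a page that sets a `<base>` tag, uses `formaction` on a button, or submits through JavaScript can still send data somewhere the form tag does not show.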

Maximize Your Encryption While Browsing

  • You can’t force websites that aren’t using encryption to start using it, so avoid websites that don’t offer https.
  • If you’re on a website that’s NOT https, then click in your browser’s address bar and TYPE that “s” right after the “p” in “http” and click “GO”. Many websites DO offer an encrypted version of their website, but you must manually enter it.
  • Better yet, install HTTPS Everywhere.  It’s a browser plugin available for the most popular browsers.  It will do the above step for you by using the https version of any site you go to (if that site has one available).  This will NOT force all your web traffic to be encrypted, but it sure will avoid the non-encrypted versions of sites you visit, if at all possible.  NOTE!  You can still get to unencrypted sites and your traffic won’t be encrypted on those sites.

Stop your ISP, Employer, Family, Neighbors, and Hackers from snooping on your web traffic

I mentioned the TOR browser above.  This is a modified version of the Firefox browser, specially made to route your web browsing traffic through its own sub-network… kind of an underground network of participating servers and PCs around the world.  Normally, when you go to, say, www.google.com, you’re making a direct connection from your PC to google.com.  With Tor, you’re going to a random server around the world on the Tor network, which then forwards you to another random server somewhere else around the world, to yet another one somewhere else around the world, which finally then sends your request to google.com, but from that 3rd machine.  In other words, as far as Google is concerned, a connection was made from that other machine to them, which might be in Russia, China, America, Germany, or anywhere else in the world.  You’ll frequently see ads in other languages because of this.

This protects you from your ISP, your employer (if you can get away with installing TOR on your work PC… but just assume that even if you can, that your employer can still see your traffic because they have complete control of your work PC), your nosy family members, nosy neighbors, nosy patrons at the coffee shop, or anyone else near by that may be snooping on your traffic.

The end result is it’s damned near impossible to tie YOU to whatever you’re doing on the destination website.  It also encrypts ALL your web traffic to and from any website… BUT ONLY ENCRYPTED UP TO THAT LAST PC!  If you’re visiting an unencrypted website, YOUR TRAFFIC WILL BE UNENCRYPTED from that last PC in the Tor network to the final website, and back again.  You MUST understand this.

This should be obvious, but my experience in IT is that nothing ever is, to everyone.  So!  I’ll state this clearly:  The TOR browser does NOT encrypt your web browsing if you’re using Chrome, or Firefox, or Opera, or Internet Explorer, or Edge.  It’s only going to work on web pages you visit WITH the Tor browser.

What About Android?

You have two good solutions on Android.  One’s good.  The other’s even better.  Both options are the Orbot app.  The difference is whether your Android device is rooted or not.  A rooted Android device gets significantly better security options.

First, go download the Orbot app here from the web, or here from the Play Store.

Orbot, if your device is rooted, can route ALL your internet traffic through the Tor network.  You can also configure Tor to only send traffic from specific apps through the Tor network.

When your traffic goes through the tor network, anyone locally snooping on your web traffic has no way of knowing what websites you’re communicating with.  Remember, if the site you’re communicating with is NOT an https site, there will be an unencrypted connection somewhere in the world to your final site.  Don’t trick yourself into thinking it’s fully encrypted all the way through.  It only is for sites that are https.  Tor will protect you from local snoopers.  It won’t protect you from snoopers hacking into the data to the final, unencrypted website.  Got it?  Good!
